Techlore Talks

Google just announced a policy that could kill F-Droid and open source app distribution on Android. Marc Prud'hommeaux from F-Droid's Board of Directors calls it an "extinction event"—here's why that matters even if you've never used F-Droid.


🔗 TAKE ACTION
Keep Android Open (sign the petition): https://keepandroidopen.org
F-Droid Website: https://f-droid.org


🧡 SUPPORT TECHLORE
• Become a Techlorian: https://techlore.tech/support/#/portal/signup
• All Support Methods: https://techlore.tech/support/

🔐 MORE FROM TECHLORE
• Homepage & Newsletter: https://techlore.tech
• Our Course, Go Incognito: https://techlore.tech/go-incognito-course/
• Privacy Tools: https://privacytools.techlore.tech/
• VPN Comparison Chart: https://vpn.techlore.tech/

⏱️ TIMESTAMPS
00:00:00 INTRO
00:01:45 PIVOTING TO OPEN SOURCE
00:04:29 WHEN MARC JOINED THE BOARD
00:05:27 APP STORE BREAKDOWN
00:08:23 GOOGLE PLAY STORE VS. F-DROID
00:10:39 MALWARE & APP STORE SAFETY
00:15:45 ARE DEVS AWARE OF MALWARE?
00:17:40 WHY IS F-DROID ONLY ON ANDROID?
00:19:26 GOOGLE'S PLANS FOR ANDROID
00:22:44 HOW BAD IS THIS?
00:24:21 GOOGLE'S REASONING
00:26:21 HOW THIS IMPACTS F-DROID
00:28:42 WEB-BASED F-DROID?
00:30:05 DOES THIS IMPACT OTHER APP STORES?
00:31:35 WHY SHOULD REGULAR USERS CARE?
00:37:09 WHY SHOULD OTHER USERS CARE?
00:39:45 EFFECT ON DEVELOPERS
00:41:29 WHAT ARE THE NEXT STEPS?
00:48:54 WHY IS GOOGLE DOING THIS?
00:51:02 COMPARISON TO EPIC GAMES
00:52:58 IS ANYONE ELSE STEPPING UP?
00:54:31 WHAT KEEPS YOU GOING RIGHT NOW?
00:56:35 WHAT'S NEXT?
01:01:34 FINAL WORDS


🎥 VIDEO
Watch on YouTube

🧡 SUPPORT TECHLORE
Keep Techlore Talks independent & growing: ★ Support this podcast ★

Creators and Guests

Host
Henry Fisher
Runner, artist, musician and digital rights activist. Owner of Techlore
Guest
Marc Prud'hommeaux
F-Droid
Editor
Tori
Techlore

What is Techlore Talks?

Techlore Talks brings you in-depth conversations with the experts at the forefront of privacy, security, and digital rights. Hosted by Henry Fisher, founder of Techlore and long-time digital rights educator, each episode features meaningful discussions with the people building, researching, and advocating for digital freedom.

From cybersecurity researchers and privacy tool developers to open-source advocates and digital rights activists—if they're shaping how we protect ourselves online, they're on this show.

Topics include: privacy tools and technologies, cybersecurity threats and defenses, open-source software, surveillance and digital rights, encryption, tech policy, and digital sovereignty.

New episodes released regularly. Subscribe and join the community at techlore.tech.

it's catastrophic. It's completely incompatible with the way that F-Droid works. So it's,

you know, it's more or less an extinction event for us.

It is an absolute honor to have Mark from F-Droid join me on Techlore Talks. Today,

we talk about some super important things that impact the entire digital rights ecosystem that

are being fought right now as we speak. We talk about F-Droid versus the Google Play Store and the

key differences for what that means to you. We talk about Google's new policies and how this can

FDroid and other open source app stores on the market. We talk about how you can take action

against Google Play service changes. We talk about the implications of centralized app distribution

and also some speculation on why Google might be even doing this in the first place. If you care

about stepping up to big tech and doing the right thing and fighting for open source projects,

this is the podcast for you. We recorded this on November 6th, so please keep that context in mind

for when we're talking about current events.

Okay. I want to welcome Mark from F-Droid on the team.

Do you want to say a few words about yourself and what you work on?

Hi, my name is Mark Perdemo.

I've been a software developer for a very long time, 30-odd years.

I've been developing mobile applications in both the major ecosystems

for the Apple iPhone and for Google Android devices ever since 2008.

And I've worked in a variety of roles and a variety of apps, some very big name brand apps, some very small indie apps, a lot of free and open source applications.

And since last year, I've been a member of the board of directors for the F-Droid project, which is a free and open source mobile app distribution environment.

So how did you go from working, it sounds like more on the mainstream side of things, and then kind of pivoting over to this open source, still somewhat niche app store?

Yeah, well, I mean, it's been a long journey.

Earlier in my career as actually a server side Java developer, and when mobile phones first came out, both when the Android preview was released and then the iPhone app store first went into beta,

very fascinated with the whole you know idea of that and I developed along with

another developer an app called Stanza which was the first electronic book

reader for the iPhone that wound up being very popular so we formed sort of a

startup around that and we worked on that for a while and yeah that was really

sort of my entrance into the environment and ever since you know I first started I

I just loved the idea of being able to have this magical little rectangle that you could put software on.

Anyone could develop software for and anyone could distribute software through.

And then as sort of my career progressed, you know, I joined some larger companies and then I went back to doing smaller projects,

doing some consulting and contracting.

I just came back again and again to how the current constrained distribution environment,

both for the iPhone and the main distribution channel on Android devices, which is the Google

Play Store, were very constraining and very stifling. And that was really what sort of sparked

my interest in like, can there be another way? What is the potential avenue for having

sort of a really free and open app development and distribution environment.

And that was really how I sort of started getting interested in it.

And then, you know, over the years, I sort of developed some ideas around creating my own project,

which would facilitate distribution, the development distribution of these applications.

That's the project I'm still working on called the AppFair project.

And one of those channels would be going through the F-Droid project.

So I started collaborating with them in sort of a lightweight manner at first, and then

got more and more interested in the project until I got to a point where I felt like it

would be beneficial to the project if they sort of had the advantage of kind of an outside

voice like mine who is generally more familiar with industry and things like that, and less

someone who came really from the ground up from inside the free and open source software movement.

And just for timelines, when did you join the board?

The board, I believe I applied late last year and then the election I think was in February of this

year, February or March. Got it. Okay. And then, so, you know, it sounds like you almost have an iOS

background at first. Did I get that correct? Yeah, actually I simultaneously started developing for

both platforms, but it was really the iOS side that kind of took off. And as a small development group,

it's really hard to have more than one platform you're supporting. So yeah, that was sort of how

I kind of fell into the iOS side initially. But actually, I originally started developing for

Android. It was just that that side did not advance as quickly as the iOS side.

Got it. And so if someone's listening to this right now and they're going, okay, you know,

maybe I use an iPhone, maybe I just use a regular Pixel that I buy from Google or a Samsung device,

et cetera, how do you kind of break down this overall concept of app stores? Because,

yeah, people seem to get it on desktop, but not fully on mobile devices yet. So how do you

normally approach this conversation? Yeah. So do you mean, you know, what the app store provides

and how the infrastructure works?

Just expectations over, I guess, software installation

between mobile and desktop.

Right, right.

Yeah, so historically, with desktop computers,

there was no app store.

You would download an application to your desktop

and you would typically run it

sort of in the bad old days of,

or good old days of computing.

And you still do in a lot of environments.

know, there have always been hazards around that. You know, there has always

been malware that can be distributed, viruses and things like that. But for the

most part, it's, you know, worked great. There's a thriving desktop world. Mobile

devices really since they first started, started bundling with them these app

stores, these app marketplaces, and they provide a lot of useful features. They

information about the app. You can you know look at screenshots, you can often

read reviews and things like that. And then you have a sort of an easy way to

obtain the app, you know just by clicking a get button or something. And then if it

is a paid app then you know there's built-in infrastructure being able to

handle that. And then critically it also supports being able to update existing

applications. You know applications always have bugs that need to be fixed. They very often have

security defects that need to be addressed. They have you know new features and improvements that

they want to roll out. And in the days of the desktop you would sort of need to know like oh

you need to go and check to see if there's an update online or even before that you would need

to get a new CD with a new version of say Microsoft Word or something. And app stores really help

remove the friction from that process. You know, you can often configure them to just automatically

install updates for you, which comes with its own set of perils, unfortunately, but that's a really

low friction way to sort of always be up to date with your applications. And it's, you know, it's a

really popular, you know, way to manage it. You know, I don't believe it should be the only way,

But on the iPhone, it is the only way to do it.

And on Android, it is definitely the path of least resistance,

either to use first-party app store, which is typically

the Google Play Store, or maybe the Samsung App Store,

or to use a free and open source alternative like FDroid.

And then can you give me the fundamental differences

between something like FDroid and the Google Play Store?

If somebody hasn't heard of FDroid before,

how do you break that down?

The big, the major difference is that F-Droid is a non-commercial app store.

You wouldn't even really call it a store because we don't sell anything.

There is no, there's no registration, you don't have to sign up, you don't have to

enter your email address, there's no personal information you provide. It's

really just, you know, an app that you can use to browse vetted free and open

source applications. You know, if you sort of look at, you know, look at it in the

simplest way, an App Store is really just an app that installs apps. You know,

unless you browse and search and update and things like that, but it's really just

an app that installs other applications. And so F-Droid essentially takes out the

commercial aspect of the App Store and puts in a requirement that all

applications be free and open source, meaning that 100% of the source code

needed to build that application is publicly available. And that's really the

vetting that we provide, is that we offer trustworthiness because the app

can't sort of hide what it's doing. It can't hide any of its features or

misfeatures. And so people really like to use F-Droid for a lot of different

reasons, but one major reason is for concern over privacy and surveillance. You're pretty much

guaranteed that none of these apps are embedding any of these sort of telemetry spyware kind of

libraries that are tracking what you're doing and then uploading this information to third-party

data brokers and things like that. You really know you can trust what you get from an app store like

F-Droid. And the fact that we don't have any commercial incentive to support things like

in-app purchases, upselling advertisements, and things like that means that when you see that an

app is advertising itself as free, it really is free. It's not some marketing ploy to trick you

into upselling or a free-to-play game where you have to buy gems or something like that.

Yeah, and one of the things that might come to mind, and this is still an ongoing debate because we hear it from Apple, we hear it from Google, is that they are keeping us safe and secure because they are going through and any app developer, let's say they want to install malware on their audience's devices, they're going to upload a malicious version of the app.

and naturally Apple and Google, if they're doing their job correctly, will catch that and prevent it from happening.

So what kind of safety assurances can you offer through Afterroid?

And how's your approach different from that?

Yeah, well, it is fundamentally different.

You know, on one hand, we have it a lot easier.

Because we have a prerequisite in the Afterroid inclusion policies that it be 100% open source,

it's pretty easy to spot when an app is trying to do something bad.

either undermining the security of your operating system or acting as scamware or something,

like trying to intercept your banking credentials,

or just clandestinely surveilling you and uploading that information without your consent.

It's a lot easier for us to identify those scenarios than it is for Apple and Google,

which don't have any requirement that you reveal the source code of the applications you're uploading.

And furthermore, even the developers who are creating the applications that they submit to the Apple App Store and the Google Play Store, they themselves don't always know everything that's going into their applications.

because very often they're using third-party libraries

that purport to be providing useful services.

And really what it's doing is it's gathering telemetry on the user,

uploading it to this third-party service

so that they can profit from it either immediately

or down the road when they can resell your data.

So we really have it a lot easier than they do

in order to provide these sort of security assurances, these security guarantees.

But furthermore, we're not conflicted in what we identify as being malware versus not malware.

There are plenty of people that identify any form of advertising, any form of telemetry as a sort of malware.

But obviously, these are the things that these first-party platform providers themselves profit from.

or, you know, say in-app purchases where you have this sort of casino mentality where, you know, you

pay to win, you pay to get, you know, gems, you, you know, these, these gotcha games and things like

that, you know, they're all skimming a cut off of it. So they are disincentivized from even

considering that that might be a form of malware, whereas we don't have that commercial, you know,

conflict of interest. And so we can just across the board say that these things are not suitable

for our particular marketplace. I appreciate how you bring up this inconsistency of the term malware.

I was in Cyprus just a couple weeks ago with the ad filtering dev summit, where you have some

engineers, you know, from Brave, DuckDuckGo, Firefox, etc. And they're building really cool

stuff. And one of the researchers talked about these insane workarounds that Meta and other social

media apps use to pretty much track users across different applications. And it uses

the Facebook Pixel. So it's so interesting because I don't think most people would consider the

Facebook app on their phone malware because they're like, well, this is a useful tool. But just because

something's a useful tool doesn't mean it doesn't function in a way that's quite exploitive to the

user. And I just wanted to kind of shout that out as a good talking point that you brought up.

Absolutely. I mean, that is a fundamental concern. These services that they provide, these applications, and like in the example of Facebook, this social network that lets you connect with the world, both your friends and local community, as well as broader interest groups.

Those are really valuable and it's pretty amazing that it's provided to you for free in the sense that you do not need to pay any cash directly to them.

But, you know, obviously that is being paid for somehow.

How is that being paid for?

It is gathering as much information and whatever is possible on you so that they can build a profile and advertise to you, have targeted advertisements.

I mean, that's really the one and only reason why they're able to make these, you know, and I will say amazing services, be able to be offered at, you know, zero cost to people.

And that is a fundamental conflict that the creators of these applications have.

And it's a fundamental dilemma for anyone who wants to provide an app store and app distribution service

that authentically works in support of the user's interests

and not in the interests of the individuals or corporations who are developing and creating the application.

Yeah, it's a good stance to take.

And one thing, one little minor question I had, you brought up how some developers don't even know that they are including third-party libraries that include malicious things in them.

And I've heard this quite a lot, actually.

Do you have a ballpark educated guess on what percentage that is?

Like, do you think it's 50-50?

Do you think most developers don't know?

Just kind of prying a little bit there.

Well, so whether or not they are fully aware of every dependency that they have, I'd say the larger the application gets, the less likely they are to really understand every nook and cranny and corner of it.

And I would say any developer who's been around for a while who is including any, you know, third party, you know, telemetry analytics gathering utility probably has a pretty good sense that they are essentially selling out their users, you know, private and intimate information subject to however much the app itself is able to gather, which is contention on how many, you know, entitlements and permissions has been granted.

So I would say, you know, most developers can't really, with a straight face, say that they don't know what they are including.

But they could have plausible deniability in the sense that if something gets eventually, you know,

these frameworks sometimes get marked as malware by the first-party app store owners, you know, by the Google Play Store or the Apple App Store.

And then they're able to identify those applications that use it.

Typically what the done do is they'll warn the application developer that they need to have a new version that removes it.

But, you know, I would say most developers are at least tangentially aware of when they are, you know,

including something that could, at least in theory, be acting against the interests of their users.

Got it. And then the last question I have before we dive into more of the situation going on with Google.

Why does FDroid only exist on Android?

I know it's maybe an obvious question for a lot of our audience members, but if anybody's

new, why is there currently no FDroid for iOS?

And do you think that could change in the future?

Yeah, so it really goes back to the beginnings of both of these ecosystems.

From the very beginning, the iPhone was designed to be a locked down, walled garden environment.

It was only ever really designed to have a single first-party application distribution mechanism,

which is the Apple App Store.

In contrast, from the very beginning of Android, it runs on the Linux kernel.

It comes from a more or less open source foundation, the Android Open Source Project.

And from the very beginning, they had APIs that allow anyone to build an application distribution environment.

Because the Google Play Store was not there from day one.

They wanted independent carriers to be able to develop their own software

and distribute applications in whatever way they see fit.

And it has been wildly successful.

There are dozens of app stores available, especially in China.

There's at least half a dozen major ones with millions of users.

And on other Android environments, there's Samsung, as I mentioned.

Amazon had one up until recently.

There's the Epic Games store and things like that.

So it's really baked pretty deeply into Android

that they have the ability to have anyone

create this application distribution mechanism

because those APIs are just a fundamental part

of the operating system.

Got it.

And so do you want to maybe, it's a good segue,

into how that might be changing

and what Google has announced their plans are.

And so I'd love to kind of hear from you

maybe a summary of what's happening

for people who aren't in the loop.

Just kind of start that conversation.

Yeah, yeah.

So to talk about that,

I'll lead up to it a little bit

by talking about what we term side loading.

So, you know, we've been talking about application stores

and, you know, apps that install other apps.

There's also, you know,

a way of just directly installing applications

on your device.

You can just download an application, you know, usually ends with the suffix APK from any website,

and then, you know, pop up a little screen and say, "Do you want to trust this developer?"

and you say, "Okay," and then installs that app and runs it.

That's actually how you install F-Droid.

You know, you go to the F-Droid website and you click on this and you install it and it starts up.

And then once you've trusted that developer, in the sense that you trust the signing certificate

that the developer has used to sign that application,

then you will be able to automatically install updates

from that same developer without needing to, you know,

re-trust them.

And similarly, if that signature changes,

then the system will warn you,

it's like this was not signed by the same person.

So it's a way of establishing direct sort of consumer

to developer trust without necessarily relying on any middleman,

any app store, you know, in between.

And so that's also a fundamental part of Android.

It's been around since the beginning.

And there are thousands, not tens of thousands,

of applications, popular applications,

that are distributed that way,

including the Apple Music application for Android.

They have their own dedicated page to say,

this is how you can sideload our application.

They have step-by-step instructions.

Yeah, I know it's been around for a long time.

I think it's, you know, Google Play Store is not available

in all markets. And so I think it's a mechanism for them to provide it, you know, largely to these

markets. So yeah, so you know, it's been around forever. And it's been very hands off. None of this

goes through, you know, Google in any way. And so that leads up to a couple of months ago in August,

Google sort of out of the blue, announced they are starting what's called the developer registration

program. And what this program does is it will require all developers everywhere in the world

to register centrally with Google in order to be able to distribute these applications that they

make. So that means that you need to, no matter what country you're in, no matter what jurisdiction,

you need to go to Google, register with your personal information, provide government identification,

pay them a fee, agree to terms and conditions,

and then upload evidence of your signing key.

So essentially you don't need to upload

your private key itself,

but you need to sign a sort of mini app that they send you

to prove that you are the person

who is able to sign applications.

And if you don't do this, then starting next year,

Android itself, all Android devices,

all Android certified devices, will block applications

that have not been verified by Google.

- And so, yeah, do you mind,

like, is this kind of bad?

Is this really bad?

You know, like, what are kind of your stances

on like this kind of proposal?

- I mean, it's catastrophic, especially for F-Droid.

I mean, it's completely incompatible

with the way that F-Droid works

because we don't require that our developers

will be registering with Google

and many have already said straight up

not going to do it. So it's more or less an extinction event for us, which is one of the

reasons why we are so full-throated in our opposition to it. So yeah, it's terrible for

us. It's terrible for anyone who just wants to be able to develop an app and share it directly with

their friends or their family or their community or their church group or anything like that.

It all of a sudden turns it, you know, takes it from a thing where an individual hobbyist can just, you know, spend a weekend developing this neat and useful application to something where you need to go through all of these steps.

You need to provide all this, you know, personal intimate information that you might not be comfortable with sharing with Google.

And you need to register with them all of the identifiers for every application you ever intend to distribute, which might not be something that you're interested in sharing with them.

So it's a massive change.

It completely changes the openness of the platform

from what has always been for the past 18 years.

Yeah, and what are some of the reasons that Google is using

to justify this decision?

And then how do you agree or disagree with some of those

kind of decisions that they're making?

Yes. So, you know, you can look on their web page at the developer registration program. They have a recent blog entry and a YouTube video developers roundtable that, you know, pretty much goes over their rationale, both about how they're going to be implementing it and why.

The one and only reason that they have stated is to prevent repeat malware offenders from being able to operate.

The scenario, somewhat far-fetched scenario, that they lay out is the case where some group develops some sort of malware scam app.

You know, like I said, it may be an app that pretends to be, you know, your bank and intercepts your credentials and then uses it to, you know, to take all your money or something.

Prevent, it won't prevent that because obviously they can just register, you know, like anyone else with, you know, falsified credentials or whatever and develop the app.

What it will prevent is if that app winds up getting identified and zapped by the Google Play Protect services, which is a complete separate service that runs on-device, scans for malware, and then when it identifies it, either warns the user or moves it altogether, depending on the parity.

It will prevent the developers who come up with an app like that from simply being able to turn around and redistribute the same application with a brand new signing key that they didn't have to register anywhere.

So that's really the very narrow hypothetical malware distribution scenario that this particular registration program would potentially be able to mitigate.

And why is that catastrophic for F2WD?

because you said it would be a disaster.

So how does this impact you guys?

Well, so as I mentioned, you know, we don't...

So FDroid has a couple of different modes of operating.

Historically, what would happen would be, you know,

a developer creates a free and open source application.

They host the source code somewhere,

maybe on, you know, GitHub or GitLab or Codeberg

or just on their website.

And then they, you know, they submit to FDroid, essentially a request for inclusion.

And then, you know, we go through and we say, okay, is this really open source?

Is this a kind of application that we want to have on the platform?

And then historically, we would just download that and we would build it and we would sign it with, you know, our own signing key and distribute it.

Trying to move away from that to a much more secure and modern approach,

which is called reproducible builds,

which is that the developer themselves can build their application,

essentially publishing their own APK that someone could download

either directly from your website or through a service like AppDroid.

And what we do is we validate that by essentially just rebuilding that application

and comparing the two and making sure that they match identically.

And what that enables is it enables the developer to use their own signing key to distribute that application,

which is what really permits the trust relationship to be from the user directly with the developer,

and not necessarily just trusting the intermediary App Store.

And we cannot require that our developers register with Google.

There's no mechanism for us to even check that or verify that.

So, you know, if this were to go into effect today, you know, not only would the F-Droid itself stop launching, but all of the apps that we distribute through F-Droid would also just, you know, stop launching and would go dark overnight.

And that's really the fundamental reason that it just doesn't work with the F-Droid model.

Yeah, so I guess what would, and maybe I'm missing something, but with like a web-based F-Droid where you somehow were able to confirm that each developer went through Google's verification successfully, and then you'd have to, there would be no like automatic updates, you'd have to do it one by one.

Is that maybe the best you could even do in that situation?

Best case scenario?

In theory, I mean, if we were not philosophically opposed to this program as well, in theory,

we might be able to do something like that where we would mandate that developers do this.

But we're not going to do that.

Yeah, but still a bad situation.

And the philosophy is definitely something that I think is important that you guys are

sticking to.

I'm just kind of seeing what even a best case scenario would look like for someone who maybe

wanted to even, like if someone didn't have a philosophical issue with this and they were like,

I'll still try to do that. Yeah, I mean, we're not necessarily going to prevent our developers from

doing this as well. Like we essentially, it's up to the developer whether or not they sign on to it.

We recommend against it for right now, at least. But we, you know, nothing stops developers from

doing it, in which case these would just work. It's just we have no way of knowing whether or not

the applications that we distribute are registered or not with Google.

Got it. And then so how does this impact other app stores? Is it the same situation for all other

app stores? Yeah, essentially, which is why we're a little surprised that there's not been more

outcry from other commercial app stores, you know, because, you know, this, you know, as well as being

sort of concerning from privacy reasons and, you know, raising barriers of entry, obviously there's

the fee that they charge for doing this and things like that.

But also, for a commercial competitor to the Play Store,

it ought to be extremely unsettling because all of a sudden,

you need to register with your direct competitor.

You need to have all your app developers register with their direct competitor

in order to be able to distribute through your own app store.

I think that aspect of it maybe has not completely sunk in

with the broader industry.

about this because it ought to be seen as being sort of blatantly competitive. It's a little bit

like if I have a car dealership and I want to sell, you know, my Ford model, I need to require

that everyone first go get approval from Chevrolet in order to be allowed to do it. There's no,

you know, there's no real precedent for anything like this, you know, ever, ever, you know,

happening before in my experience in software. Yeah, and you know, I always dislike asking this

question, but it's something I do have to ask because I don't know. I care. I'm sure a lot of

our audience cares, but let's say someone's just using an iPhone. They just use the Google Play

Store. Let's just call them a typical regular user. Why should they care about this? Yeah, well,

you know, we think that people in general should care about their privacy. People should be more

aware of what these applications are doing, how these applications

impact the information that is being collected from you, often

clandestinely. And in order to provide a check on that, we think it's essential

that there be a open ecosystem, that it should not be monopolized by a single

player, that things should not be gatekept by one single global entity. To

actual useful service that F-Droid has provided is that there was a while ago, there was a

suite of applications, very popular, called Simple Mobile Tools on Android.

And they provided pretty much run-of-the-mill applications.

They have a calendar, they have a camera app, they have scheduling applications, an email

client, sort of a whole mini-suite that you could use to replace the existing pre-installed

sometimes, you know, crapware that comes with your phone with some nice, clean, simple open-source applications.

That was distributed because they were free and open-source on both the Google Play Store and on F-Droid.

And then what happens, as has so often happened with a lot of applications, both in the iOS and in the, you know, Android ecosystem,

is that this app developer wound up getting acquired by a company and all their apps getting acquired.

And then almost immediately, these apps wound up getting,

their source code got closed down,

they started injecting advertisements everywhere,

they started adding in-app purchases that take away features

and put them behind paywalls,

they started adding telemetry and surveillance and things like that.

And so this implied contract that you had with this app developer,

that just vanished overnight, non-consensually.

And since almost everyone has these automatic updates turned on,

the next day, these apps that were formerly ones that you trusted,

suddenly became something that you cannot trust the next day.

However, on the F-Droid side, what happened is because the source code before it had gotten

acquired was still free and open source, an organization called Fossify just took them,

forked them, and then started releasing them, continuing to be these sort of honest, simple,

authentic, free tools, first through F-Droid and then again through the Play Store.

And the identification and the calling out of that was really something,

a lot of, until FDroid removed those applications from the original applications from our App Store,

because they no longer complied with the open source requirement, as well as breaking a lot of other inclusion policy rules,

a lot of users maybe never would have been aware of what had happened and how it had happened.

But instead, a lot of people were like, "Why did these tools suddenly become crummy overnight?"

A lot of forums were saying, "Oh, here's how you get the real ones back. You go and you get this open source one."

If something like FDroid didn't exist, that broader service might not have ever been made available to the rest of the world,

and even had a knock-on effect of being available through the Play Store.

So that's sort of one real and concrete example of a service that having a competitive marketplace like FDroid

has provided for the community.

Yeah, it's quite frustrating.

I mean, there's two things that I see happen all the time.

One, these massive companies steal open source code,

oftentimes not even attributing that code.

I mean, a lot of people to this day,

and I know this is totally a political thing that I'm saying.

It's just the one that came to mind.

But TrueSocial was a complete Mastodon clone.

They totally stole the Mastodon code.

There was references to the Mastodon code.

They kind of sloppily stole it.

Now they do reference it.

I actually went to the website yesterday to confirm that.

And now they say, oh, open source on the bottom, and it links to that.

But all these big tech companies use open source code for different things, and it's very frustrating.

So that's issue one.

But issue two is that even if you use these platforms, people go, well, I've never used Linux, so why do I care?

but if the only two options that existed were macOS and Windows,

they might look very different if Linux wasn't there as that alternative.

And I feel like you guys are in a very similar boat,

that without you checking the Play Store,

the Play Store could look very different for people.

So, yeah, just a bit of a rant on my end.

But yeah, I mean, you're absolutely right.

I mean, even if people are not interested in using Ftroid, you know, directly,

we do have a broader check on the ecosystem,

especially as it pertains to keeping open source players honest.

If something turns bad, if the rug gets pulled, as it so often does,

then we're sort of there to help provide alternatives

and provide sort of a guaranteed safe place that will never be possible in.

So one thing that I did want to also ask about this, this is tied to the Google Play services, as far as I'm aware.

So if you're just using a regular Android device, then this is something that's going to impact you.

However, I got a bajillion comments about this, because I've been doing coverage about this F2OID stuff.

People are like, well, this is why I'm using Lineage OS, which doesn't come with Google Play services.

And, you know, maybe it uses MicroG.

I've seen people using Graphene who go, "Well, I'm using sandbox play services," or "I'm not using any at all."

So why should these people still care about what's going on?

Because there seems to be this idea that, "Oh, I'm not using Google Play services, so I'm unaffected by this."

Yeah, right. So, you know, this does only affect what they call Android-certified devices,

which is devices that are essentially approved by Google.

The requirements for that are that you use Google Play services, that you have the Google Play store at least available as an option on your device.

But as a benefit, you get to use Google Mobile Services, which makes it easier for people to use.

So outside of China, these Android certified devices are well over 95% of all installed devices.

I mean, this is really like the entire universe of Android devices in the world outside of China.

You know, the rest are non-Android certified devices.

They might be custom ROMs.

They might be Lineage OS.

They might be Graphene.

They might, you know, be Calyx.

They could be, you know, PinePhone.

There's, you know, quite a wide variety and thriving, you know, ecosystem that we fully support.

But these are really, you know, one to two percent of all users.

It's not, you're not going to really be installing this on your grandmother's phone,

you know, unless you have a really interesting grandmother.

And, you know, it's, they are right.

And I do see a lot of, you know, kind of crowing from that crowd saying like,

"Yeah, see, this is why I chose this."

And we fully support them, and FDroid is often

the primary app distribution environment for those devices.

But do we really want to sacrifice 95% of the Android users out there

to be subject to this?

I think it's a little bit narrow-sided to say,

"Oh, your solution is just to install Lineage.

That's not a solution for billions of people in the world.

Yeah, and I think something I was thinking about as well,

and maybe I don't know if this is fully true,

so you're a perfect person to ask here.

My understanding, so of course,

this is really only directly going after developers.

This isn't directly going after users at all.

And so what's the downstream effect of the developers

who don't want to continue developing apps

away from the Play Store?

Like that that still will impact those custom ROMs if the developers developing those open source apps they're using aren't able to like

Like will they still develop for that small subset of users?

That's yeah, I mean question. Yeah, I mean I think it remains to be seen we have seen

We have seen a number of developers who you know, I've already said never signing up for this

And I'll probably just stop developing altogether and you know go go do something else

woodworking or something.

You know, I don't know if that is gonna, you know,

be a very widespread protest,

but I think the world is the worst place for it

because those are often the developers who have the most interesting application ideas,

applications that might not fit perfectly well with the Google Play Store's own,

you know, inclusion policies,

that might only be able to be distributed,

you know, through direct download.

You know, sometimes very niche apps, sometimes, you know, apps that they just don't think have commercial viability or not interested in the Play Store.

I'm sure there'll be plenty of people who continue to develop them and are happy to drastically reduce the number of people who are able to install them.

But what that number is, I think only time will tell.

Yeah, and that's something we want to leave up to chance.

So, you know, if someone's hearing this, what is kind of, what are the next steps here?

Like, what are the timelines that Google has proposed?

What can people do that is actionable, that can make a real difference, whether or not

they even use FDroid right now?

What are you kind of sharing with people?

So there's a website that I worked with people on called keepandroidopen.org.

And that essentially lists the call to actions that we think are the most viable.

This is not a direct F-Droid project.

This is actually a project that I just sort of undertook on my own.

And then it turned into about 20 contributors now.

They translated it into five different languages.

Essentially, the calls to action there are based on three target audience groups.

It's consumers, developers, and the state regulators.

people who are the governing bodies around these things.

In terms of consumers, really the most effective thing that you can do is contact your local jurisdictions regulators

and make them aware of your objection to it, why you think that it is problematic.

This will be most effective in areas that have a strong regulatory environment, especially the European Union.

You know, this particular act is in direct contravention of the requirements imposed by the Digital Markets Act.

And I think, you know, regulators need to be made aware of that.

Also, plenty of other countries are looking into, you know, App Store monopolies and regulation around there,

namely Brazil, Japan, the United Kingdom, South Korea are some of the more advanced ones around that.

And then, you know, other ones are sort of following suit, Australia.

But yeah, reaching out directly to regulators, making your own individual voice heard, I think that's really the most powerful thing that consumers can do right now.

Other options are looking into alternative ecosystems, not just installing Ftroid, which by the way, I think everyone should do.

It's just great to have as a backup and a place that you can really go to really trust the applications you get.

But also looking into different ecosystem options for custom ROMs or installing lineage OS.

You might stumble upon a really interesting setup for yourself that works really well for you.

But yeah, the most effective thing that a consumer can do really is to try to make your voice heard.

From developers, the most effective thing you can do right now is do nothing.

Do not sign up for this.

It's in early access right now, but they're going to be opening up developer registration early next year.

Do not add your name to this list.

Do not upload your information.

Do not pay them money for the privilege.

How much money is it, by the way?

It's not much.

I think they have it set right now at $25.

But it's just like, come on.

You're really adding insult to injury.

Don't do any of it.

Just opt out.

There'll always be time later. If it comes down to it on the day, it's going to come into effect.

You can always do it later, but don't do it now.

Is that annual or is that a one-time?

I believe it is one-time, but I don't know if that is set in stone yet.

All their documentation is sort of like subject to change and things like that.

Same with the terms and conditions.

One of the really alarming things about it is that they say,

oh, you just have to sign their terms and conditions.

Of course, they're 100 pages long, and they have all sorts of clauses in them,

especially some really alarming stuff.

But the thing is that these are always changing.

Coming from developing for these commercial app stores,

the Apple App Store and the Play Store,

every month or so you get these updates.

And if you don't click OK, your apps get nuked.

You're pulled from the store.

So everyone is just sort of conditioned in this Pavlovian way to be like,

oh, terms and conditions have updated, click OK.

And if those terms and conditions contain things like,

thou shalt not compete with YouTube services,

or thou shalt not compete with Apple Music,

well, all of a sudden you've just clicked yourself out of business.

So, I mean, that's really the alarming thing about these terms and conditions,

that it's not a one-time thing, but it's a rolling thing,

They can update over time to say anything that they want.

So yeah, so for developers, summary is don't sign up for it.

It's just a bad idea.

And tell your other developer friends not to sign up for it.

And then third is for the state themselves, for governments and regulators.

Look really closely at this, considering how it affects your own country's digital sovereignty.

you are essentially ceding the rights of your developers and your businesses and your governments

to be able to speak directly to your consumers through technology.

I really regard software development and app development as a form of speech.

You're not just providing a tool, you're providing a mode of expression.

And just like the printing press has been a force for advancing the Enlightenment centuries over centuries,

app development is a way of facilitating people to communicate with their environment.

And any time you are allowing essentially a foreign, a distant entity,

especially a for-profit entity that might be competing with their own businesses,

To have a single global kill switch for this, to have a single point of gatekeeping, you're

really, you're giving up a lot for your businesses, for your defense.

To cite one particular example is back in 2021, back when there was a parliamentary election

in Russia and Alexei Naglevi was running against Vladimir Putin, he had an election app that

was available on both the Play Store and the App Store.

And shortly before the election, the Kremlin essentially strong-armed both Google and Apple

to pull that app from their App Store.

And that app disappeared.

The results of the election were probably a foregone conclusion anyway.

But obviously, you know, the current regime won.

Alexei Nikolavi is now dead.

Russia has invaded Ukraine and is on, you know, on the border of the rest of Europe.

So these are not like sort of, you know, hypothetical, you know, out there ideas.

But having a single centralized control to all app distribution focused in, you know,

two companies that are located 10 miles away from each other, it just seems like it ought

to be extremely alarming to every government out there.

And every person. I mean, yeah, when you put it very well there, I think, to really drill the

message home. So I guess an initial question here, why? Like, yes, Google is saying malware,

they're saying security. It's easy to point at it and this is what I've been doing and just say,

oh it's for more control over the platform. Is that kind of the most that you're able to really

attribute this to? Do you think there's any other motives behind it? I know it's all speculative,

you don't know, but do you have any ideas on maybe like what they're actually trying to accomplish

from this? Yeah, I mean, it would be speculation. There's obviously a lot of speculation floating

around. You know, most of it is mostly unsupported. You know, I would say, I think it's fair to say

it's for control, right? They've seen that Apple gets away with this, that Apple gets away with it,

even in areas where it's blatantly illegal, like in the European Union, under the Digital Markets

Act. They see that they've been, you know, flouting that with impunity. And they think that now is

probably the time where they can get away with it. We're obviously in the United States in a pretty

light touch regulatory environment. And so there's not going to be, you know, any serious investigations

on the part of the Federal Trade Commission or the Department of Consumer Affairs, the Justice

Department. That's just not going to be happening. And so, you know, I think they're thinking the time

is now to do it. And not only because of legislation that follows following the Digital

Markets Act in these other countries, but also because of new requirements as a result

of the settlement with Epic Games that is going to mandate that they be able to distribute

third party marketplaces from their own Google Play Store. They want to be able to lock down

as much as possible the potential kinds of applications

that are going to get distributed through there.

And this is the obvious route to being able to do it.

It's funny you brought up Epic Games right now.

I'll take random bullet points as you say certain things.

And my next one that I wanted to ask about,

because I just have to quickly type things out.

Epic Games, LOL, question mark.

And the reason why, I just think it's almost,

I can't find a better word right now other than unhinged of Google to be kind of taking these L's against Epic over this exact thing.

And Google is now simultaneously doing something that's in some ways 10x more extreme than they ever did against Epic.

So, yeah, it's just I don't know if that's a question.

I just find it a bit crazy.

Yeah, no, I mean, it's definitely a crazy time, you know, with the outcome of the lawsuits,

you know, and how different it is between, you know, the lawsuit between Epic and Google

and the one between Epic and Apple, where the outcomes were so wildly divergent.

You know, I'm sure Google has some, you know, very bitter feelings about that and feel like,

you know, why did we get, you know, kind of shafted on this and Apple didn't.

But that was the outcome that happened and was going to be sticking with us for a long time.

But they had to come to some sort of settlement, right?

Like Epic totally won out in the debate about distribution.

And yeah, I think they're doing this to sort of get in front of it, lock things down as much as they can get away with.

which from a commercial, you know, they're not being irrational.

They are a profit-seeking entity,

and they're looking to protect their profits as much as possible.

I don't see it as like, you know, there's no real, like, humanity involved with it.

It's just that they're trying to do what corporations do.

Yeah, so, you know, through this, I'm sure it's very stressful for you all at F-Droid

and a lot of the people that you're close with.

Who else have you kind of seen step up? And, you know, have there been any surprises behind the scenes or like people that you think are doing really good work right now?

Yeah. So, you know, both as FDroid, we obviously communicate with the community, you know, civil society groups, government regulators and things like that.

Also on the keepandroidopen.org site, we are putting up an open letter for people to sign.

And we have quite a lot of people, of signatories that have committed to the open letter,

essentially asking Google to just reverse this policy and not do it.

I mean, opposition has been almost universal, both among the individual groups that we've encountered,

among consumers who are sort of cognizant of the technologies around there, and developers.

I mean, we really haven't seen anyone speaking up in support of this policy

that has at least communicated through any forum whatsoever to us.

I was actually a little bit surprised.

I figured there would be at least someone, some industry group or something,

who was like, no, we actually fully support this.

know, we make banking apps or something and we think it'll be great and prevent scams and stuff.

It's been dead silence. It's really only been Google themselves that has been trying to defend

this and, you know, not very effectively in my view. Yeah. So, you know, what is still kind of,

what still drives you, you know, day to day, given, you know, there is a lot of uncertainty

perhaps in the next year or two. So is there anything that still excites you about this crisis,

maybe outside of this crisis, just kind of how are you grappling with this personally?

Yeah, well, I think a lot of excitement is that there's a lot more awareness than there had been,

even a month or two ago about this. People who had not really even thought about ways of installing

applications you know through the non first-party default you know promoted

app stores are suddenly aware of you know not just F-Droid but of you know

being able to just get apps directly you know it's really popular for things

you know especially things like ad blocking which you know obviously is you

know pretty pretty reduced in its presence in commercial app stores so

that's been there's sort of been a surge of excitement you know around F-Droid

and AlturaVap marketplaces.

It's kind of like what they call the Streisand effect, right?

It was only through, you know, coming out and attacking the project

that, you know, we got, we started getting a lot of attention.

So that's exciting.

And the other exciting thing, I think, is that there's been, you know,

a little more tension on the Apple side of things.

As sort of a separate thing, separate from F-Droid,

I've, over the past year or so,

I've been consulting with various regulatory groups in Europe around the Digital Markets Act and how it should apply to Apple.

And they are saying, well, it really isn't consistently applied between Google and Apple, and it ought not be because they are both designated gatekeepers.

So, you know, I think, I hope that this will maybe open the opportunity for making a case that the Apple ecosystem should be opened up a little bit more,

that there should be an F-troyd for Apple,

and it should not just be constrained to, you know,

one of the duopoly of mobile platforms out there.

Yeah, and, you know, where do you see this potentially going?

Like, do you think the fight's lost?

Do you think it's won?

What's kind of next?

And assuming, you know, worst-case scenarios,

I've seen this, I know this is a lot of questions,

so I'll do my best.

I've seen a lot of people talk about how this is actually

a result of having only two operating systems.

Kind of how I mentioned earlier, Linux just existing

probably has a lot of indirect influence on the other ones.

But there is no real Linux phone.

You know, I know there's PinePhone.

I know there's Librem 5.

I know PostMarketOS.

I know these things exist,

but you already talked about the small percentage

of these, like, alternative Android users.

That's, you know, tiny, tiny, tiny, tiny, tiny.

So do you think that's really something that needs to happen to be fully prevented in the future, for there to be a full ecosystem alternative?

I don't know if that's a cohesive question, but I'll just let you.

Yeah, I mean, definitely.

I mean, the duopoly is essentially a monopoly right now.

You know, you have two different corporate players located, you know, 10 miles from each other with essentially identical policies.

And, you know, we're seeing a shrinking in the difference between these two platforms.

And I think it is really, really harmful.

There is no equivalent to, you know, Linux as a counterweight to the Windows and Mac OS, you know, desktop world.

And, you know, we once upon a time, this was a thriving ecosystem.

You know, you had Nokia, you had Symbian, you know, you had Palm OS and Windows Phone and BlackBerry.

And, you know, you had all sorts of competitors.

And, you know, I don't know if that was necessarily always considered to be a wonderful time, but it was at least a competitive and thriving, you know, marketplace.

And now you have a system where basically the two entities have carved up the market.

You know, Apple more or less takes a 30 percent high, you know, high margin ground and Google takes a 70 percent, you know, rest of it.

And that's pretty much how it has been for the past, you know, five to 10 years.

I do think that competitors need to emerge.

And there are, you know, very interesting potential competitors.

You know, there's, you know, do you even list some more?

There's, you know, Sailfish OS, which is, you know, which is interesting.

You know, there's a lot of potential, but to, you know, these are trillion dollar companies.

And to go up against them, I really think you would need sort of a Manhattan project in order to really create and promote it.

And there is one in China.

It's called HarmonyOS.

And they are, you know, forging forward with it.

Unfortunately, it's just as locked down as those other platforms.

And, you know, I doubt it's going to be seen as a great liberator for, you know, for the world.

But they do provide an example of how with enough, you know, will and state sponsorship,

you can essentially force through a, you know, third option, which is, you know, at least in China,

I think is going to be an emerging

competitor.

Wow. Yeah.

Well, that's the end of all my questions.

The last thing, I just wanted

to say this. It's not a question. It's just a statement.

But this is something

I've heard ever since

I started using FDroid and Android

way back in like 2017,

2018. It's been forever now.

But anytime I pick up

an iPhone or I'm using an iPhone for work because I have to use different devices for different things.

And I hear this from other people I know who have also gotten used to F-Droid.

They say they love their iPhones, but the only thing that's missing is F-Droid. And yeah, so that's

kind of a high praise that I think that I feel and a lot of people feel in my life. And I see it in

our community all the time because there is no really open source ecosystem on the iOS side of

things like there is on the Android side of things. So I just wanted to share a lot of appreciation

that I have for you guys. Oh, great. Well, thank you so much. You know, it really is, we do this

for the users, right? We're not getting paid. There's no money going through the project. It's

really a labor of love and really comes from a belief that like, you know, when you bought a

smartphone, you own it. It's your computer and you should be allowed to put whatever you want on it.

It's just like any other, you know, owning anything else.

And to be able to, you know, act as a counterweight to the forces that are trying to make you think otherwise,

that, you know, are trying to assert that they actually own your device and they are able to reach down into it and do whatever they want.

But, yeah, really, it's for the end users.

And there are not that many other voices out there that are so purely oriented towards the consumer side of the marketplace.

So, yeah, so hearing that, you know, always puts a tickle in my heart.

Yeah.

So, I mean, do you have anything else that you want to share with people before we log off?

And how can people keep up with what's going on in a clean way?

And then also if they want to follow you or F-Troid, what's the best way to do that?

Yeah, definitely.

So, you know, number one, I would say visit, you know, the F-Troid website, follow the blog.

We have RSS feeds and, of course, social media, primarily on Mastodon.

That's a great way to just sort of get in touch with the community.

Obviously, installing F-Droid is a great thing to do if you have an Android phone.

Look around and see if there's anything interesting.

It's not exclusive to other app stores, so you can have it side by side with Google Play or the Samsung App Store or anything like that.

That really helps because the more people that are aware of it, the more they spread the word,

the more we can sort of, you know, fight back against some of these policies.

So, yeah, so that would be the main thing.

And then the other thing that you might want to consider is visiting, you know,

keepandroidopen.org that has, you know, a variety of sort of concrete action items

that people can take, and that will be updated with information about, you know,

sort of the progress of this movement as time evolves.

But I am actually optimistic.

You know, I think, you know, as I said, overwhelming response,

universal response in support of, you know,

keeping this platform open.

I think people are becoming more aware

of why it's important.

And so I have a good feeling

that I think we'll have a good outcome.

Awesome.

Well, thank you for your time, Mark.

I super appreciate it.

And definitely go check out the links.

I'll leave them down in the show notes for all of you.

And I want to thank you for your time.

Thank you so much for having me.

It was great.

It was great chatting.

And that is Mark, everybody.

I really liked this interview

And I left feeling really inspired and I hope that you all felt the same way.

If you want to take action, please go in the description and check out the sources that

we have down there so that you can also help in the fight.

And if you aren't going to do any of that, I at least hope that you all left this a bit

more educated on the systems that kind of make up what your phone actually allows you

to do.

If you enjoy Techlor talks, it wouldn't be possible without our Techlorians who get access

to exclusive perks and communities

and also make it so that we can do this podcast

free for the world and keep it growing

so that it reaches more and more people.

So check out how you can support us down below

and I'll see you all next time on Techlore Talks.